
Connecticut’s Updated Cybersecurity Law Now Protects Patient Data 

Connecticut's new cybersecurity law will help protect patients' private medical information.


By Lisa Gentes-Hunt

A newly signed Connecticut cybersecurity law will now allow for the protection of patient data and other private health information.

An Act Concerning Data Privacy Breaches, which Connecticut Governor Ned Lamont officially signed into law on June 16, is updated to now include patient data and medical information as part of the private personal information protected under this cybersecurity law. 

The Connecticut law, which Governor Ned Lamont signed into law last month, now includes “medical information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (viii) health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual...”

Connecticut Attorney General William Tong said in a statement that the data privacy law is “a measure sought by the Office of the Attorney General to update and strengthen Connecticut’s breach notification statute.” 
 
“Connecticut has led the nation in data privacy for over a decade, and this legislation ensures that we will continue to do so,” Tong said in the statement.  
 
In 2005, Connecticut passed one of the nation’s first laws protecting consumers from online data breaches, Tong said in the statement. “Since then, technology and associated risks have evolved. The legislation broadens the definition of ‘personal information’ to include additional categories such as medical information, online account information, passport numbers, military identification, and health insurance account numbers.” 

This bill also shortens the deadline to notify “individuals and the Office of the Attorney General of a security breach from 90 days to 60 days, which is in line with recent amendments passed in other states.” 

Governor Lamont also signed a second cybersecurity bill into law on July 6, according to a JDSupra report.

An Act Incentivizing The Adoption of Cybersecurity Standards For Businesses, sponsored by State Representative Caroline Simmons, “works to add safeguards and bolster our cybersecurity defenses to better protect businesses and consumers from cyber threats,” Simmons said in a statement. 

The new law, according to the JDSupra report, “will establish an affirmative defense against tort claims alleging that a business's failure to implement reasonable cybersecurity controls caused a data breach. Businesses that have created, maintained, and complied with a written cybersecurity program can take advantage of this ‘safe harbor’ if their written cybersecurity program complies with one or more of the industry-recognized frameworks (such as the National Institute of Standards and Technology's Cybersecurity Framework or the Center for Internet Security's Critical Security Controls) or applicable federal laws (such as the cybersecurity requirements of the Health Insurance Portability and Accountability Act.)”  

Both laws take effect on October 1, 2021, according to the JDSupra report.